Introduction

This document describes microflow policing on Catalyst 6500 Series switches.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on a Cisco Catalyst 6500 Series switch with a Supervisor Engine 720.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

Here is a use case for your consideration. A university wants to limit each student to 10 Mbps of Internet bandwidth. If an aggregate policer is configured, the 10 Mbps is shared by all students who match the class, so the bandwidth is distributed unequally among them. A microflow policer is better suited to this task, because it polices each flow (here, each student source address) individually.

Consider these two TCP streams:

Source 10.0.0.1 sends a TCP stream to 15.0.0.1 with source TCP port 50 and destination TCP port 2000.
Source 10.0.0.1 sends a TCP stream to 15.0.0.2 with source TCP port 60 and destination TCP port 2000.

If classification is done based on the source IP address, the number of flows equals one (both streams come from 10.0.0.1). If classification is done based on the destination IP address, the number of flows equals two (15.0.0.1 and 15.0.0.2). If classification is done based on the destination port, the number of flows equals one (both use port 2000). If classification uses the full flow (source and destination IP addresses, protocol, and ports), the number of flows equals two.

Note: Microflow policers can be applied only in the ingress direction, unlike aggregate policers.

When you apply a service policy under an interface, either a physical interface or a Switch Virtual Interface (SVI), the service policy is programmed in hardware. The Quality of Service (QoS) Ternary Content Addressable Memory (TCAM) stores the classification entry. Additionally, because the switch must remember the individual flows it polices, it stores per-flow information in hardware as well; the NetFlow TCAM is used for this purpose. Hence, there are two places where you can check the hardware programming: the QoS (Access Control List, ACL) TCAM and the NetFlow TCAM.

Because the same NetFlow TCAM is shared with other features, such as Network Address Translation (NAT), NetFlow Data Export (NDE), and Web Cache Communication Protocol (WCCP), it is possible for the microflow policer to conflict with those features when it is programmed in hardware. Some TCAM conflict scenarios are provided at the end of this document.

Configuration Examples

Example 1

A Cisco Catalyst 6500 Series switch performs inter-VLAN routing. The traffic sources are located in VLAN 20 and have the IP addresses 20.20.20.2 and 20.20.20.3. Both sources send traffic towards the IP address 30.30.30.2, which is located in VLAN 30. The goal is to allocate 100 Kbps of bandwidth to each source.

Create an ACL that matches the traffic from these two sources and map it in a class-map.

Apply the service policy under the ingress SVI or under the ingress physical interface. If you apply it under the interface VLAN, configure mls qos vlan-based under the physical interface. This instructs Cisco IOS® to look for a policy under the interface VLAN as soon as a packet arrives on a layer 2 interface in that VLAN.

interface vlan 20
 service-policy input POLICE_DIFF_SRC
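A complete configuration for Example 1, added here as an illustration and not taken from the original document. The addresses, VLANs, 100 Kbps rate and policy-map name POLICE_DIFF_SRC come from the text; the ACL and class-map name SRC_HOSTS, the physical interface GigabitEthernet1/1 and the 8000-byte normal burst are assumed values.

```cisco
! Added example, not the original document's configuration.
! Assumed names: SRC_HOSTS (ACL and class-map), GigabitEthernet1/1, burst 8000.
mls qos
!
ip access-list extended SRC_HOSTS
 permit ip host 20.20.20.2 host 30.30.30.2
 permit ip host 20.20.20.3 host 30.30.30.2
!
class-map match-all SRC_HOSTS
 match access-group name SRC_HOSTS
!
! src-only flow mask: the NetFlow TCAM keys one entry per source IP address,
! so 20.20.20.2 and 20.20.20.3 each get their own 100 Kbps bucket.
policy-map POLICE_DIFF_SRC
 class SRC_HOSTS
  police flow mask src-only 100000 8000 conform-action transmit exceed-action drop
!
! Ingress access port in VLAN 20: vlan-based makes PFC QoS use the SVI policy.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 20
 mls qos vlan-based
!
interface Vlan20
 ip address 20.20.20.1 255.255.255.0
 service-policy input POLICE_DIFF_SRC
```

Without mls qos vlan-based on the ingress port, traffic from that port is evaluated against a port-level policy only and the policy on interface Vlan20 is not applied. With the src-only mask, a source that opens many sessions still shares one 100 Kbps entry, which is the behaviour the university use case above asks for.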

Example 2

A Catalyst 6500 Series switch performs layer 2 switching of traffic within the same VLAN. This example demonstrates how to restrict traffic that comes from 10.10.10.2 and goes towards 10.10.10.3 in VLAN 10 to 100 Kbps of bandwidth. In order for the policer to affect layer 2-switched traffic, you must enter the mls qos bridged command under interface VLAN 10.
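A complete configuration for Example 2, added here as an illustration and not taken from the original document. The hosts, VLAN 10 and the 100 Kbps rate come from the text; the ACL, class-map and policy-map names, the physical interface and the 8000-byte burst are assumed. The dest-only flow mask is a choice made for this example: the ACL already restricts the source, so one entry keyed on the destination 10.10.10.3 covers all traffic between the pair.

```cisco
! Added example, not the original document's configuration.
! Assumed names: PAIR_10 (ACL, class-map), POLICE_L2_PAIR, GigabitEthernet1/2.
mls qos
!
ip access-list extended PAIR_10
 permit ip host 10.10.10.2 host 10.10.10.3
!
class-map match-all PAIR_10
 match access-group name PAIR_10
!
! dest-only flow mask: one NetFlow entry for 10.10.10.3, so everything the
! class matches (only 10.10.10.2 -> 10.10.10.3) shares a single 100 Kbps bucket.
policy-map POLICE_L2_PAIR
 class PAIR_10
  police flow mask dest-only 100000 8000 conform-action transmit exceed-action drop
!
! Ingress port of 10.10.10.2: the SVI policy is only consulted when vlan-based.
interface GigabitEthernet1/2
 switchport
 switchport mode access
 switchport access vlan 10
 mls qos vlan-based
!
! mls qos bridged is what makes the microflow policer act on traffic that is
! bridged inside VLAN 10 instead of routed through the SVI.
interface Vlan10
 mls qos bridged
 service-policy input POLICE_L2_PAIR
```

If the intent is instead to give every TCP or UDP session between the two hosts its own 100 Kbps, replace mask dest-only with mask full-flow; the flow count then follows the source/destination port pairs, as described in the Background Information section.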

If a Distributed Forwarding Card (DFC)-enabled line card (LC) is present in the chassis, the QoS policies are programmed separately on each DFC and on the Policy Feature Card (PFC). In the show mls qos ip output, the module number identifies which PFC or DFC holds the entry; here the entry belongs to the PFC/DFC in slot 1.

The Supervisor Engine 720 creates an Aggregate ID (AgID) for every aggregate policer that is created. At most 1020 AgIDs can be used, which is a hardware limitation. The AgID is not relevant for a microflow policer, but this field is useful when you troubleshoot an aggregate policer.

The Trust field holds no relevance in this case.

FL ID=1, as discussed previously.

The AgForward-By and AgPoliced-By counters are not used to count packets transmitted or dropped by the microflow policer (a separate command exists for that). The same counters are, however, used to count packets transmitted and dropped by an aggregate policer.

Enter the show tcam interface <vlan | physical interface> qos type1 ip command in order to determine whether the ACL is programmed in the QoS TCAM.

Because of a flow mask conflict with other features configured under the same interface, the microflow policer might be unable to cache its flows in the NetFlow TCAM, in which case the policer cannot act on them in hardware.

It is important to understand the concept of a flow mask. In order to support hardware acceleration of certain features, dedicated pieces of hardware (TCAMs) are used to install those features. Multiple features share the same TCAM: NAT, WCCP and NetFlow use the TCAM commonly called the NetFlow TCAM, whereas features such as security ACLs and Policy-Based Routing (PBR) use the ACL TCAM.

For the NetFlow TCAM, a flow mask is needed in order to install entries in the hardware. NetFlow flow masks determine the granularity of the flows to be measured. Very specific flow masks generate a large number of NetFlow table entries, and a large volume of statistics to export. Less specific flow masks aggregate the traffic statistics into fewer NetFlow table entries, and generate a lower volume of statistics.

Enter the show fm summary command and determine whether the interface is in an inactive state. An inactive state indicates that a feature configured under the interface could not be programmed in hardware. Packets received on that interface that require that feature are then processed in software, which both defeats the hardware policer and loads the route processor.